Equifax to Pay up to $700 Million to Consumers, Authorities Over 2017 Breach

Equifax and U.S. government agencies announced on Monday that the credit reporting agency is prepared to pay up to $700 million to settle charges related to the massive 2017 data breach that impacted roughly 147 million people.

According to the U.S. Federal Trade Commission (FTC), Equifax has agreed to pay at least $575 million, but the amount could be increased to $700 million if necessary. The money will be used to compensate consumers and settle charges brought by the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 states.

Equifax will set up a $300 million fund to provide credit monitoring services to affected customers and compensate them for credit and identity monitoring services and other expenses for which they paid themselves in response to the data breach.

In addition, $175 million will be paid to 48 states, the District of Columbia and Puerto Rico, and $100 million represents civil penalties paid to the CFPB.

On a website set up by Equifax for the consumer class action settlement, the company has pointed out that a federal court will need to approve the deal. If the settlement is approved, customers can receive free credit monitoring or $125 in cash if they already benefit from credit monitoring services for at least another 6 months. Impacted customers are also eligible for up to $20,000 in cash for the time spent dealing with the breach, including for losses resulting from the incident, and dealing with fraud, identity theft or other misuse of personal information.

“Equifax denies any wrongdoing, and no judgment or finding of wrongdoing has been made,” the company said on the consumer settlement website.

As part of the settlement with authorities, Equifax has also agreed to implement a comprehensive cybersecurity program, which will be assessed every two years by a third party.

“This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company,” said Mark W. Begor, CEO of Equifax. “The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data - and reflects the seriousness with which we take this matter. We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25 billion EFX2020 technology and security investment program. We are focused on the future of Equifax and returning to market leadership and growth.”

Hackers gained access to a database associated with Equifax’s Automated Consumer Interview System (ACIS) after the company failed to patch a critical vulnerability it had learned of a couple of months earlier. The attackers first accessed the database in mid-May 2017 and made roughly 9,000 unauthorized database queries before Equifax detected suspicious activity in July 2017.

The hackers obtained names, Social Security numbers, dates of birth and other information belonging to over 145 million individuals. Roughly 209,000 payment card numbers and associated expiration dates were also compromised.

Following the disclosure of the incident, Equifax was accused of failing to implement a policy for efficiently patching vulnerabilities, failing to segment its network to prevent attackers from moving laterally, failing to install robust intrusion detection systems, and storing sensitive information in plain text.
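The article notes that roughly 9,000 unauthorized queries went unnoticed for about two months and that Equifax was criticised for weak intrusion detection. The following is an added illustration, not code from the article or from Equifax, of the simplest control that addresses that gap: a per-source query-volume detector that compares each hour of database activity against that source's own history. The log format, the `acis_app` account name, the IP address and the thresholds are all assumptions constructed for the example, and the sample log is generated inline rather than taken from any real system.

```python
"""Hourly query-volume anomaly detector over database audit log lines.

Added example, not from the article. Log format and all names are assumed:
    "<ISO timestamp> <client_ip> <db_user> <statement_type>"
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median


def build_sample_log():
    """Constructed sample (not real data): six quiet hours of application
    traffic, then a burst of 300 queries from the same host and account."""
    lines = []
    for hour in range(6):
        for i in range(20 + hour % 3):  # 20-22 queries per hour
            lines.append(f"2017-05-10T{hour:02d}:{i:02d}:00 10.1.1.5 acis_app SELECT")
    for i in range(300):  # anomalous hour
        minute, second = divmod(i, 60)
        lines.append(f"2017-05-10T06:{minute:02d}:{second:02d} 10.1.1.5 acis_app SELECT")
    return lines


def parse_line(line):
    """Split one audit line into (timestamp, source_ip, db_user, statement)."""
    ts, source, user, stmt = line.split()
    return datetime.fromisoformat(ts), source, user, stmt


def hourly_counts(lines):
    """Count queries per (source_ip, db_user) pair per clock hour."""
    counts = defaultdict(Counter)
    for line in lines:
        ts, source, user, _ = parse_line(line)
        hour = ts.replace(minute=0, second=0, microsecond=0)
        counts[(source, user)][hour] += 1
    return counts


def find_volume_anomalies(lines, factor=5.0, floor=50):
    """Flag any hour in which a (source, user) pair issues more than
    max(floor, factor * median of its earlier hours) queries.

    The floor keeps a pair with almost no history from alerting on noise;
    the factor is a tunable assumption, not a value from the article.
    """
    alerts = []
    for (source, user), per_hour in hourly_counts(lines).items():
        history = []
        for hour in sorted(per_hour):
            n = per_hour[hour]
            if history:  # need at least one earlier hour as a baseline
                threshold = max(floor, factor * median(history))
                if n > threshold:
                    alerts.append({
                        "source": source,
                        "user": user,
                        "hour": hour.isoformat(),
                        "queries": n,
                        "threshold": threshold,
                    })
            history.append(n)
    return alerts


if __name__ == "__main__":
    for alert in find_volume_anomalies(build_sample_log()):
        print(f"ALERT {alert['hour']} {alert['source']} {alert['user']}: "
              f"{alert['queries']} queries (threshold {alert['threshold']:.0f})")
```

Against the constructed log the detector raises a single alert for the 06:00 hour, where 300 queries exceed a threshold of 105 (five times the 21-query median of the earlier hours). A real deployment would key on more than source and account (for example, statement type and tables touched), persist the baseline across days, and feed alerts to the same pipeline that handles network segmentation and patch-compliance findings; the point of the example is only that a volume baseline this simple already surfaces a months-long pattern of thousands of unexpected queries.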

“I’m far from an Equifax apologist, but the truth is it could have been anyone. It’s not an excuse, but rather the reality we live in,” Adam Laub, CMO of STEALTHbits Technologies, told SecurityWeek.

“The best outcome isn’t Equifax making the situation right - although that is important for all of those affected - it’s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place. And it’s got to be from the ground up too. There’s no silver bullet. There’s no one thing that mitigates the exposure. A multi-layered, multi-faceted approach is critical to making the juice not worth the squeeze for bad actors looking to score quickly and easily,” Laub added.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.